Android, Java bug hunting tool Mariana Trench goes open source

Facebook has released the Mariana Trench bug hunting software to the open source community.

This week, Dominik Gabi, a Facebook software engineer, said in a blog post that Mariana Trench was originally an internal tool for the company’s security engineers but has now been released to the public “to help scale security through building automation.”

Mariana Trench (MT) is a tool for finding vulnerabilities in Android and Java code, with a particular focus on examining Android applications. According to the tech giant, MT is able to scan “large mobile codebases” and alerts users to potential security problems by analyzing data flows before the code reaches production.

MT homes in on data flows as a common source of bugs, whether because data is exposed or collected incorrectly, or because a flow contains a flaw that allows malicious input to be injected. MT identifies where data enters the program (sources) and where it ends up (sinks), tracks the possible paths between them, and computes per-method models using static analysis to hunt for errors and issues in the codebase.

“A security engineer would start by broadly defining the boundaries of the data flows she is interested in scanning the codebase for,” Facebook explained. “If she wants to find SQL injections, she would need to specify where user-controlled data is entering the code, and where it is not meant to go. However, this is only the start — defining a rule connecting the two is not enough. Engineers also have to review the identified issues and refine the rules until the results are sufficiently high-signal.”

Facebook warns that this tool is only one addition to a security engineer’s arsenal, and that false positives need to be considered and reviewed before any finding is acted on prior to production.

“In using MT at Facebook, we prioritize finding more potential issues, even if it means showing more false positives,” the company says. “This is because we care about edge cases: data flows that are theoretically possible and exploitable but rarely happen in production.”
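The source-to-sink workflow described above (define where user-controlled data enters, where it must not go, and a rule connecting the two), together with the recall-over-precision trade-off in the second quote, as an added, runnable illustration in Python. This is not Mariana Trench's code, nor its real model or rule format: the statement representation, the mini "codebase", the method names (`getIntentExtra`, `escape`, `lookup`, `rawQuery`, `logd`, `concat`) and the two rules are all constructed here. The analysis is deliberately path-insensitive, so the flow inside the rarely taken `debug` branch is still reported, which is exactly the kind of "theoretically possible but rare in production" edge case the quote says MT prioritizes.

```python
"""Toy source-to-sink taint analysis over a constructed mini program.

Added illustration of the source / sink / rule idea; not Mariana Trench's code,
its model format or its rule format. Every name and rule below is constructed.
"""
from typing import Dict, List, Set, Tuple

# Where attacker-influenced data enters: callee name -> source kind.
SOURCES: Dict[str, str] = {"getIntentExtra": "UserInput"}
# Where data must not go unchecked: callee name -> sink kind (any argument counts).
SINKS: Dict[str, str] = {"rawQuery": "SqlExecution", "logd": "Logging"}
# Callees whose result is treated as clean regardless of input.
SANITIZERS: Set[str] = {"escape"}
# A rule connects source kinds to sink kinds; only matching pairs become issues.
RULES = [
    {"code": 1, "name": "User input flows to SQL", "sources": {"UserInput"}, "sinks": {"SqlExecution"}},
    {"code": 2, "name": "User input written to logs", "sources": {"UserInput"}, "sinks": {"Logging"}},
]

# Constructed "codebase". Statement forms:
#   ("call", dst, callee, [args])   ("assign", dst, src)
#   ("if", cond, [stmts])           ("return", var)
PROGRAM = {
    "onCreate": {"params": [], "body": [
        ("call", "name", "getIntentExtra", []),   # source: data from an Intent extra
        ("call", "safe", "escape", ["name"]),     # sanitizer
        ("call", "_", "lookup", ["safe"]),        # clean flow: must not be reported
        ("if", "debug", [                         # rarely taken branch
            ("call", "_", "lookup", ["name"]),    # unsanitized flow: reported
        ]),
    ]},
    "lookup": {"params": ["who"], "body": [
        ("call", "q", "concat", ["PREFIX", "who"]),  # unknown callee: taint passes through
        ("call", "_", "rawQuery", ["q"]),            # SQL execution sink
        ("call", "_", "logd", ["q"]),                # logging sink
        ("return", "q"),
    ]},
}

# (rule code, rule name, source kind, sink kind, call path from the entry point)
Issue = Tuple[int, str, str, str, Tuple[str, ...]]


def analyze(method: str, arg_taint: List[Set[str]], path: Tuple[str, ...],
            issues: Set[Issue], depth: int = 0) -> Set[str]:
    """Propagate taint through one method; returns the taint on its return value."""
    if depth > 8:               # crude guard against recursion in the analyzed program
        return set()
    m = PROGRAM[method]
    env: Dict[str, Set[str]] = {p: set(t) for p, t in zip(m["params"], arg_taint)}
    returned: Set[str] = set()

    def run(stmts) -> None:
        for stmt in stmts:
            op = stmt[0]
            if op == "assign":
                env[stmt[1]] = set(env.get(stmt[2], set()))
            elif op == "if":
                run(stmt[2])    # path-insensitive: the branch is assumed reachable
            elif op == "return":
                returned.update(env.get(stmt[1], set()))
            elif op == "call":
                _, dst, callee, args = stmt
                arg_t = [env.get(a, set()) for a in args]   # literals carry no taint
                if callee in SOURCES:
                    env[dst] = {SOURCES[callee]}
                elif callee in SANITIZERS:
                    env[dst] = set()
                elif callee in SINKS:
                    for taint in arg_t:
                        for kind in taint:
                            for rule in RULES:
                                if kind in rule["sources"] and SINKS[callee] in rule["sinks"]:
                                    issues.add((rule["code"], rule["name"], kind,
                                                SINKS[callee], path + (callee,)))
                    env[dst] = set()
                elif callee in PROGRAM:
                    env[dst] = analyze(callee, arg_t, path + (callee,), issues, depth + 1)
                else:
                    env[dst] = set().union(*arg_t)   # unknown callee: assume taint passes through

    run(m["body"])
    return returned


def find_issues(entry: str = "onCreate") -> List[Issue]:
    """Run the analysis from an entry point and return the de-duplicated issues."""
    issues: Set[Issue] = set()
    analyze(entry, [], (entry,), issues)
    return sorted(issues)


if __name__ == "__main__":
    for code, name, src, sink, path in find_issues():
        print(f"[rule {code}] {name}: {src} -> {sink} via {' -> '.join(path)}")
```

Running it reports two issues, both through the `debug` branch (`onCreate -> lookup -> rawQuery` for rule 1 and `onCreate -> lookup -> logd` for rule 2), while the sanitized call `lookup(safe)` produces nothing. That is the refinement loop the first quote describes: if the `debug` finding turns out to be unreachable in practice, the engineer tightens the rule or marks the sanitizer rather than loosening the analysis.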

MT is now available on GitHub, and a binary distribution has also been released on PyPI. In addition, Facebook has released the Static Analysis Post Processor (SAPP), a companion tool for reviewing MT results.
